2016 is already being dubbed “The Year of Ransomware” and ransomware features prominently in my upcoming “Mid-Year Threat Review” webinar. In that webinar I will also be talking about the IoT (Internet of Things) and more specifically the IoIT (the Internet of Insecure Things); mainly because risks arising from the latter are on the rise.
Don’t get me wrong, I’m not saying that the IoIT currently poses as big a threat as ransomware does. But part of my job is to look beyond the present – and I’m concerned that a future headline will read: “The Year of Jackware.”
What is jackware?
I define jackware as malicious software that seeks to take control of a device whose primary purpose is not data processing or digital communications. A car would be such a device. A lot of cars today do perform a lot of data processing and communicating, but their primary purpose is to get you from A to B. So think of jackware as a specialised form of ransomware. With regular ransomware, such as Locky and CryptoLocker, the malicious code encrypts documents on your computer and demands a ransom to unlock them. The goal of jackware is to lock up a car or other device until you pay up.
Fortunately, and I stress this: jackware is, as far as I know, still theoretical. It is not yet “in the wild”.
Unfortunately, based on past form, I don’t have great faith in the world’s ability to stop jackware being developed and deployed. We have already seen that a car company can ship more than a million vehicles containing vulnerabilities that could have been abused for jackware. I’m referring to the Fiat Chrysler Jeep problem that was all over the news last year. Just as serious as those vulnerabilities, in my opinion, was the apparent lack of planning for vulnerability patching in the vehicle design process. In other words, it is one thing to ship a digital product in which ‘holes’ are later discovered – in fact, this is pretty much inevitable – but it is a different and more dangerous thing to ship digital products without a quick and secure means of patching those holes.
And while most “car hacking” research and discussion centers on technical issues within the vehicle, it is important to realise that a lot of digital devices and IoT technology rely on a support system that extends well beyond the device itself. We saw this last year with VTech, a player in the IoCT space (as in Internet of Children’s Things). Weak security on the company’s website seriously exposed personal data about children, reminding everyone just how many attack surfaces the IoT creates. We also saw this infrastructure issue earlier this year when some Fitbit accounts had problems (to be clear, the Fitbit devices themselves were not hacked, and Fitbit definitely seems to take privacy seriously).
So what has this got to do with cars? Consider the recent news of bugs in the online service web app for BMW’s ConnectedDrive. There are a lot of interesting IoT aspects to ConnectedDrive. For example, you can use it to regulate your home’s heating, lights, and alarm system “comfortably from inside your vehicle”. The possibility that the features and settings of an in-vehicle system could be remotely administered through a portal that could be hacked is unsettling to say the least. And the reports of insecure smart car design keep coming, such as a Wi-Fi enabled Mitsubishi, and hacked radios used to steal BMWs, Audis, and Toyotas.
To stop jackware being developed and deployed, a number of things need to happen, in two different spheres of human activity. The first sphere is the technical sphere, where the challenge of implementing security on a vehicular platform is considerable. Consider the processing power and bandwidth required for traditional security techniques, like filtering, encrypting, and authenticating. These techniques add overhead to systems, some of which need to operate with very low latency. Security techniques like air-gapping and redundancy could potentially add significantly to the cost of vehicles. And we know that controlling costs has always been critical to car manufacturers, down to the last dollar.
The second sphere where action is required to head off jackware is policy and politics. The outlook here is not good because so far the world has failed abysmally when it comes to cybercrime deterrence. There has been a collective international failure to head off the establishment of a thriving criminal infrastructure in cyberspace, one that now threatens every innovation in digital technology you can think of, from telemedicine to drones to big data to self-driving cars.
Consider where we are right now, mid-2016. Ransomware is running rampant. Hundreds of thousands of people have already paid millions of dollars to criminals to get back the use of their own files or devices. And all the signs are that ransomware will continue to grow in scale and scope. Early ransomware variants failed to encrypt shadow copies and connected backup drives, so some victims could recover fairly easily. Now we’re seeing ransomware that encrypts or deletes shadow copies and hunts down connected backup drives to encrypt them as well.
At first, criminals deploying ransomware relied on victims clicking links in emails, opening attachments, or visiting infected websites. Now we’re also seeing the bad guys using hacking techniques like SQL injection to get into a targeted organization’s network, then strategically spread the ransomware, all the way to the servers (many of which may not be running anti-malware). The war stories from victims keep rolling in but there’s been very little in the way of indictments or arrests. Given the technical challenges of securing increasingly connected, computer-enabled vehicles, and the apparent lack of progress in deterring cybercrime, the outlook for jackware is not good (or rather, it is good if you’re a bad guy thinking about the long term).
Inevitability and ethics
So, is it inevitable that ransomware will eventually spawn jackware? Well, it certainly seems like a logical progression. A few months ago I was talking to noted Canadian automotive journalist David Booth. He has written about car hacking in the past and when I described how ransomware was attacking laptops and servers he quickly arrived at this headline: Ransomware is the future of car theft. In my opinion, he may well be right.
Article by Stephen Cobb, ESET senior security researcher